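Feishu Bot Manager — Utility Tool
v0.0.1 Feishu Bot Manager is a practical utility skill that helps users complete related tasks and improve their work efficiency.
0 · 238 · 0 current · 0 cumulative
Security Scan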
OpenClaw
Suspicious
medium confidence
The skill mostly does what it says (edit ~/.openclaw/openclaw.json, backup, add bindings, set dmScope, restart Gateway), but there are internal inconsistencies and hidden assumptions (missing declared config path, an odd package.json dependency, and a validator that contradicts the documented binding modes) that warrant caution before installing.
Assessment Recommendations
This skill appears to implement a Feishu bot account manager, but review a few issues before installing:
- The code directly reads and writes your OpenClaw config file at ~/.openclaw/openclaw.json and creates backups under ~/.openclaw/backups. The skill metadata did not declare this config-path requirement, so the platform may not warn you. Make sure you have a current manual backup and test in a non-production environment first.
- The skill will store the provided App Secret in your openclaw....
ℹ Purpose and Capabilities
The code's behavior (adding Feishu accounts to ~/.openclaw/openclaw.json, creating backups, adding bindings, setting session.dmScope, and restarting the Gateway) matches the skill description. However, the skill metadata declares no required config paths while the code directly reads/writes $HOME/.openclaw/openclaw.json and $HOME/.openclaw/backups — this is an inconsistency. package.json lists an npm dependency on 'readline' (a Node builtin) which is unnecessary and unexpected.
✓ Instruction Scope
SKILL.md instructions (interactive prompts and CLI flags for app id/secret, account id, agent id, routing mode) align with index.js. The runtime actions are limited to reading/writing the OpenClaw config and invoking the 'openclaw' CLI to set dmScope and restart the Gateway — all within the documented scope. The skill does not contact external endpoints or exfiltrate data, but it does persist secrets (appSecret) into the config file as expected for this purpose.
ℹ Install Mechanism
There is no install spec (instruction-only style), and code files are bundled. That lowers install risk compared with arbitrary downloads. Still, package.json contains an unnecessary external dependency ('readline') which is unusual and may confuse users or installers.
⚠ Credential Requirements
The skill expects and manipulates the user's OpenClaw configuration file at ~/.openclaw/openclaw.json but the declared metadata lists no required config paths — the platform won't warn users that the skill will access and change a local config file. The skill legitimately asks for App ID and App Secret (needed for adding a bot) and writes them into the config; that is expected but sensitive. The included validator (lib/validator.js) contains a check that effectively requires binding.match.peer.id for all bindings, which contradicts account-level bindings described in documentation and may lead to false validation errors or confusion.
ℹ Persistence and Privileges
The skill is user-invocable and not always-enabled; it does not request persistent platform privileges. It will, however, run 'openclaw config set ...' and 'openclaw gateway restart' which modify runtime behavior and restart a service — appropriate for this tool but potentially disruptive; users should expect the Gateway restart side effects.
⚠ index.js:169
Shell command execution detected (child_process).
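Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Install Commands
Official: npx clawhub@latest install feishu-bot-manager-twisted
Mirror (accelerated): npx clawhub@latest install feishu-bot-manager-twisted --registry https://cn.longxiaskill.com (mirror available)
Localization Notes
Feishu Bot Manager — Utility Tool installation notes: Install commands: ["openclaw skills install feishu-bot-manager-twisted","npx clawhub@latest install feishu-bot-manager-twisted"] This skill is used for Feishu-related operations and may require a corresponding platform account or API key.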